Hands-On API Security: a course on building bulletproof APIs. As APIs become a big part of our tech world, making sure they're secure is key. The 2023 edition of the OWASP API Security Top 10 shows that API security needs our attention.
Content:
Building secure APIs isn't easy, though. It requires developers and architects to really understand API security, from the big picture down to the nitty-gritty details. This workshop gives you the skills you need to make your APIs secure. We'll think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With deep-dive talks, real-world demos, fun quizzes, and hands-on labs, you'll learn how to lock down your APIs.
During this hands-on training, we'll explore:
• The security model of API-based web applications
• Recognizing and addressing authorization failures
• Understanding Broken Object Property Level Authorization (BOPLA)
• Fixing Broken Object Level Authorization (BOLA)
• Testing the security of APIs that use JWTs
• Best practices for making JWTs secure in modern APIs
• Identifying, exploiting, and fixing Server-Side Request Forgery (SSRF) issues
• Understanding Cross-Origin Resource Sharing (CORS)
• Configuring secure CORS policies for various use cases
• Tracking user authentication securely with sessions or tokens
• Relying on OAuth 2.0/2.1 for securing APIs
• Advanced OAuth 2.x scenarios
• Quizzes and labs to make learning stick
• Q&A throughout the workshop to clear up any doubts
This workshop is about more than theory. We're all about giving you practical security tips you can use right away as an API developer. We dig into the root causes of API threats and how to handle them. We don't just skim the surface of problems and solutions; we get into the whys and hows, looking at common fixes, why some fall short, and which ones are currently the best way to go. By the end of this workshop, you'll be up to speed on the best practices for API security. You'll also leave with a handy checklist of steps to assess and improve the security of your applications.
Speaker: Philippe De Ryck, Founder of Pragmatic Web Security, Google Developer Expert
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. Google recognizes Philippe as a Google Developer Expert for his work on security in Angular applications.
Target audience:
This training is perfect for developers and architects who work a lot with APIs. If your role involves building, testing, or designing modern apps, this workshop will give you a thorough, up-to-date understanding of the best ways to keep things secure. We'll often use Node.js, Flask, and Spring Boot in our code examples and demos, but you'll easily be able to apply what you learn to other languages and frameworks.
Prerequisites:
• To participate in this training, you should have some experience with building API-based applications
• Knowledge of application security can be helpful, but is not required
Computer setup:
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (preferably Chrome).